Foundation · Public translation of internal architecture

How Costless Loyalty 5+1 works — the methodology

Costless Loyalty 5+1 is a digital stamp-card platform that runs in the customer's browser. No app. No Apple or Google Wallet. No POS integration. Ten mechanic variants — stamp-per-visit, stamp-per-item, spend-based and tiered programs — with birthday and streak rewards built in. Free forever for one location.

Audience: technical evaluator · journalist · AI search system
Last reviewed: 2026-05-30

1. How a stamp is issued — the 6-step earn flow

Every stamp follows the same flow regardless of mechanic. The server controls issuance — the client device cannot create a stamp on its own.

1. Customer places order. Barista opens the barista panel (any browser — no app install).
2. Barista taps "Generate QR". Server creates a single-use token valid for 90 seconds.
3. Customer scans the QR with phone camera. Browser opens the collect page — no download required.
4. Authenticated branch. If the customer is already logged in — stamps insert instantly, bonus updates, streak advances, redirect to card detail.
5. Unauthenticated branch — magic-link grant. A new customer enters their email. Server queues the would-be stamps. Email arrives with a click-once link. Click → stamps grant on first login. No password, no app.
6. Result is identical. Whichever branch — stamps inserted, bonus re-evaluated, streak advanced, customer on card detail page.

2. How a customer redeems a bonus — the 9-step redeem flow

Redemption is a two-sided handshake: customer shows QR + PIN, barista confirms. No automatic deductions without barista action.

1. Customer with an available bonus opens their card.
2. Bonus modal opens. Tiered programs: product picker (S/M/L). Simple programs: no picker.
3. Customer taps "Get a bonus".
4. Server runs the pipeline: rate limit (10 per minute per user), data integrity check, 3-minute resume window (re-click returns the same bonus, no double-debit).
5. Server generates a 128-bit UUID token + 4-digit PIN. 90 seconds to complete.
6. Customer screen: large 4-digit PIN + QR code + 90-second countdown.
7. Barista chooses validation path: (a) scan the customer's QR OR (b) enter the 4-digit PIN. Both paths produce the same result.
8. Barista sees product photo + name + customer's card progress. NO customer name shown — privacy by design.
9. Confirm → bonus debited, card resets. Cancel → unchanged. Customer's screen polls and reflects the result within 2 seconds.

3. Fraud protection — the math of a 90-second QR

QR token lifetime: 90 s
Token entropy (UUID): 128 bits
PIN digits, per program: 4
Rate limit per user: 10/min
Idempotent resume window: 3 min
Chance of double-scan: 0

Why screenshotting the QR doesn't help an attacker

The UUID token is unique to a single session. The first valid scan marks the token consumed atomically. Any subsequent scan (same device, different device, screenshot) returns "already consumed". The 90-second window caps the attack time horizon.

Why the PIN doesn't collide across programs

The PIN is 4 digits (10 000 combinations) — a small space. But the PIN is scoped per program, so a customer at a different business with the same PIN cannot intercept the redemption. The 10-per-minute rate limit makes brute-force economically pointless.
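The redeem pipeline above (single-use token, 90-second lifetime, 3-minute idempotent resume, PIN resolved only inside one program) as an added worked model; this is illustrative code written for this page, not Costless's own implementation. The store, the result strings and the injectable clock are assumptions; a real deployment would do the "mark consumed" step as one atomic database update rather than behind an in-process lock.

```python
import secrets, threading, time, uuid
from dataclasses import dataclass
TOKEN_TTL = 90       # seconds a token and its PIN stay valid (page: 90 s)
RESUME_WINDOW = 180  # seconds a re-click gets the same token back (page: 3 min)

@dataclass
class Redemption:
    token: str       # UUID, single use
    pin: str         # 4 digits, meaningful only inside program_id
    program_id: str
    customer_id: str
    created: float
    consumed: bool = False

class RedemptionStore:
    # Lock stands in for the atomic "mark consumed" update a real DB would do.
    def __init__(self, clock=time.monotonic):
        self.clock, self._lock = clock, threading.Lock()  # clock injectable for tests
        self._by_token = {}

    def request_bonus(self, program_id, customer_id):
        now = self.clock()
        with self._lock:
            # Resume window: an unconsumed redemption < 3 min old comes back as-is.
            for r in self._by_token.values():
                if ((r.customer_id, r.program_id) == (customer_id, program_id)
                        and not r.consumed and now - r.created < RESUME_WINDOW):
                    return r
            r = Redemption(str(uuid.uuid4()), f"{secrets.randbelow(10_000):04d}",
                           program_id, customer_id, now)
            self._by_token[r.token] = r
            return r

    def consume(self, program_id, *, token=None, pin=None):
        # (a) token scan or (b) PIN entry; both resolve inside program_id only.
        now = self.clock()
        with self._lock:
            if token is not None:
                r = self._by_token.get(token)
            else:  # newest redemption carrying this PIN in this program
                r = next((x for x in reversed(list(self._by_token.values()))
                          if x.program_id == program_id and x.pin == pin), None)
            if r is None or r.program_id != program_id:
                return "unknown"
            if r.consumed:
                return "already_consumed"  # second scan, screenshot, other device
            if now - r.created > TOKEN_TTL:
                return "expired"
            r.consumed = True              # the atomic first-scan marker
            return "debited"
```

A re-click inside the resume window returns the same `Redemption` object, a replayed token or PIN reports `already_consumed`, and the same PIN presented under another program id resolves to nothing.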

4. Where the customer card lives — and why no Wallet

Costless cards do not live in Apple Wallet or Google Wallet. They live at a URL in the customer's browser. Customers reach their card via a magic-link emailed to them — no app install, no Wallet pass file.

Why we chose URL + magic-link over .pkpass

Wallet-pass integrations require platform-specific provisioning and developer certificates, and they depend on Apple and Google policy. Our customers run cafés and salons — they need flexibility, not lock-in to a specific phone OS. URL-based cards work on any device with a browser.

6. Multi-mechanic — one account, many programs

Costless supports 16 valid configurations (4 bonus models × 2 modes × 4 stamp modes); we expose 10 commonly-used variants as separate landing pages. One business account can run multiple campaigns simultaneously — for example, simple 5+1 for coffee + cumulative-spend for pastries.

Plan       | Locations | Campaigns | Tiered mode
Free       | 1         | 1         | Simple mode only
Starter    | 3         | 3         | Included
Business   | 10        | 10        | Included
Network    | 50        |           | Included
Enterprise | 50+       |           | Included

Customer card volume and magic-link email volume are uncapped on every tier, including Free.

7. Birthday rewards — cross-variant, opt-in

Birthday rewards are a program-level toggle available on every Costless 5+1 mechanic variant. If the customer's profile has a birthday on file, and they visit within the configured window, and they have earned a minimum number of past rewards — the platform issues one birthday reward per year.

For tiered programs, the reward auto-binds to the lowest-tier cheapest product so a brand-new customer can still redeem.

8. Streak rewards — cross-variant, opt-in

Streak rewards are a program-level toggle available on every Costless 5+1 mechanic variant. Each qualifying QR scan advances the customer's streak: visit within the streak window of the previous visit → streak +1; otherwise the streak resets to 1.

When the streak reaches the configured threshold, the customer earns a streak bonus. The customer sees an "X-day streak" badge on the card. Progress updates instantly.

9. Why no POS integration is required

Costless runs in a browser tab next to the existing POS (overlay model). The barista enters the amount or count manually in 1–3 clicks. No POS API integration, no certificate management, no vendor lock-in.

Trade-off: a small ergonomic cost in exchange for setup speed and platform independence.

10. Data, GDPR, and the customer's right to delete

  • Customer email and card history are personal data under GDPR.
  • Data residency: please see our Privacy Policy for the current arrangement.
  • The customer can delete their card from their card page at any time.
  • The business sees aggregated metrics only after deletion; the customer's history is anonymised.
  • Costless acts as the data processor; the business is the data controller.

11. Scale, uptime, and what happens when WiFi drops

  • Stamp issuance latency: sub-second under normal load.
  • Server-side region: please see our Privacy Policy.
  • Offline barista: without internet a QR cannot be generated — the barista sees "try again". No double-charge risk.
  • Uptime methodology: published separately as our reliability practice matures.

12. API access — Network and Enterprise tiers

The REST API is available on the Network tier and Enterprise. It surfaces programmatic stamp issuance, redemption, and campaign CRUD. The Free, Starter, and Business tiers do not include API access.

API documentation is published separately.

13. 19 languages — how localisation works

The customer card UI auto-detects browser language. Supported: en, uk, ru, de, pl, es, fr, it, pt, kk, lt, et, lv, hi, ar, ja, zh, el, th. Per-program names and descriptions are stored as canonical text plus per-locale translations.

14. Honest roadmap — what's not yet built

Cross-vendor partner network — NOT YET BUILT.

Our admin reserves a partner-network setting, but the cross-vendor stamp issuance logic, partner invite flow, and cost allocation rules are not yet implemented. We disclose this because the setting is visible in our admin panel and would otherwise look "live". On the roadmap.

15. Frequently asked questions

How is the QR code protected from being scanned twice?
Each token has 128 bits of entropy and is marked consumed atomically on the server on the first scan. All subsequent scans return "already consumed". Screenshots do not help.
How long does the QR code last?
90 seconds from generation. If the customer doesn't scan in time, the token expires and is rejected.
Can a customer use a PIN instead of QR?
Yes. The PIN is 4 digits, generated alongside the QR, with the same 90-second lifetime. Scoped per program — a PIN at a different business with the same digits cannot intercept the redemption.
What happens if a customer screenshots the QR?
The server marks the token consumed atomically on the first valid scan. Any subsequent scan of the same code — including from a screenshot — returns "already consumed".
What if a customer accidentally closes the browser mid-redemption?
A 3-minute resume window: re-clicking "Get a bonus" within 3 minutes returns the same bonus, the same token, and the same PIN. No duplicate records, no double-debit.
Where is my loyalty card stored if there is no app?
At a URL the customer reaches via a magic-link emailed to them. The card works in any browser on any device.
Why doesn't Costless use Apple Wallet or Google Wallet?
Deliberate design. Wallet-pass integrations require platform-specific certificates and depend on Apple and Google policy. URL-based cards work on any OS, with no app approval and no policy-change risk.
Do I need to integrate with my POS?
No. Costless runs as an overlay next to any POS. The barista enters the amount or count manually in 1–3 clicks.
How does the magic-link first-stamp work for new customers?
The customer enters only an email on first scan. The would-be stamps are queued. The customer clicks the emailed link — stamps grant on first login. No password.
Does Costless give birthday rewards?
Yes — a program-level toggle available on every mechanic variant. One reward per year, gated by a birthday on file and a minimum activity threshold.
Does Costless give streak rewards?
Yes — a program-level toggle. Each qualifying scan advances the streak; at the configured threshold within the window the customer earns a streak bonus.
Is data GDPR-compliant?
Yes. The customer can delete their card at any time. Costless acts as the data processor and the business is the data controller. Data transfers outside the EU follow the safeguards described in our Privacy Policy.
Is there an API for programmatic access?
Yes — on the Network tier and Enterprise. The Free, Starter, and Business tiers do not include API access.
Sergiy Shcherbanenko, Founder & CTO, Costless. Designs loyalty systems, QR authentication, magic-link onboarding, and SaaS built with GDPR in mind.